Responsible Data Uses: Privacy, Security, Ethics & Compliance
Post on 15-Jul-2015
171 Views
Preview:
Transcript
@aureliepols Stockholm –March 2015 #outfox2015
Responsible Data Uses: Privacy, Security, Ethics & Compliance
Aurélie Pols
Pan-European digital analytics veteran & Privacy geekBoard Member @MyPermissions
@aureliepols Stockholm –March 2015 #outfox2015
Before frictionless sharing
@aureliepols Stockholm –March 2015 #outfox2015
We did optimize “stuff”
@aureliepols Stockholm –March 2015 #outfox2015
The era of Data Hoarding
@aureliepols Stockholm –March 2015 #outfox2015
DATA LEECHING
While some refer to Data Puking, this is about
@aureliepols Stockholm –March 2015 #outfox2015
Data = New Asset Class
• Economic asset:
– if it’s worth something, who owns it?
• Ownership means property:
– Property law, contract law, etc.
• But
@aureliepols Stockholm –March 2015 #outfox2015
DATA IS INFINITELY TRANSFERABLE WITHOUT DECAY
#1. The specifics of Data as an Economic Asset
@aureliepols Stockholm –March 2015 #outfox2015
Familiar property types
• House, mortgage & cadaster
• A car looses 50% of it’s value the day after the purchase
• But data? What is it really?
HYPOTEK Fastighetsregistret
@aureliepols Stockholm –March 2015 #outfox2015
Infinitely transferable without decay
• Interesting type of property
• The legal world is not ready for
• Yet harm is imaginable:
– Deaths of dissidents
– Algorithmic discrimination
– Tunneled world vision
– Identity thefts
– Cyber bullying
@aureliepols Stockholm –March 2015 #outfox2015
DEFINING & RECOGNIZING DATA HARMS
#2. Often forgotten legislative challenges
@aureliepols Stockholm –March 2015 #outfox2015
Involved actors
• Legislators & governments: – make the laws & want to be re-elected
• Businesses (employee, partner & customer data): – growth strategies, max shareholder value
(not always)
• Citizens: – consuming technology,
are the product if free, co-owners of the data?
Governments Legislators (FTC, FCC, FDA, EU)
Consumers Voters Citizens
OUR GLOBAL SOCIETY
Businesses:
Brands
Data Service Providers
@aureliepols Stockholm –March 2015 #outfox2015
Data ownership? The Dutch
KPN is a Dutch Telco
Operations are in the Netherlands, Belgium & Germany
Brands: Hi, Simyo, Telfort& KPN, XS4ALL, E-Plus & Base (sold to Telefonica)
@aureliepols Stockholm –March 2015 #outfox2015
Patchworks of legislation
@aureliepols Stockholm –March 2015 #outfox2015
Legislation about
• Data-breaches!!! <- security
• Copyright
• Intellectual property <- algorithms
• Net-neutrality
• …
Anonymity |Biometrics |CALEA |Cell Tracking |Cyber Security Legislation |Digital BooksDo Not Track (DNT) |Encrypting the Web |International Privacy Standards |Locational PrivacyMandatory Data Retention |Mass Surveillance Technologies |Medical Privacy |National Security LettersNSA Spying |Online Behavioral Targeting (OBA) |Open Wireless |PATRIOT Act |Pen Trap |Printers |Real IDRFID |Search Engines |Search Incident to Arrest |Social Networks |Surveillance Drones |Travel Screening
@aureliepols Stockholm –March 2015 #outfox2015
4 topics
1. Security
2. Compliance
3. Privacy
4. Ethics
@aureliepols Stockholm –March 2015 #outfox2015
Europe: Data Protection
@aureliepols Stockholm –March 2015 #outfox2015
Security for digital analytics
Mainly for (not mutually exclusive):
– Access: employees, partners, APIs, … <- control & revoke procedures? Strong passwords?
– Data transfers: between tools & devices, between companies <- level of encryption? Liability?
– Data merging: which data set goes (or is copied) where? <- data breach notification requirements
@aureliepols Stockholm –March 2015 #outfox2015
COMPLIANCE IS A RISK EXERCISE
#3. Related to evolving Privacy legislation
@aureliepols Stockholm –March 2015 #outfox2015
Privacy & Annoying Europeans
@aureliepols Stockholm –March 2015 #outfox2015
PII: ah but we don’t collect it!
Medical information as PII
California
Arkansas
Missouri
New Hampshire
North Dakota
Texas
Virginia
Financial information as PII
Alaska North Carolina
Iowa North Dakota
Kansas Oregon
Massachusetts South Carolina
Missouri Vermont
Nevada Wisconsin
New York* Wyoming
Passwords as PII
Georgia
Maine
Nebraska
Biometric information as PII
Iowa
Nebraska
North Carolina
Wisconsin
Source: information based on current continuous monitoring (partial results)
@aureliepols Stockholm –March 2015 #outfox2015
A Global Privacy Perspective
US & UK EU ASIA
Common Law Continental Law Partially continental law influenced
Class actions Fines (by DPAs: Data Protection Agencies)
Amended New
Privacy Personal Data Protection (PDP)
Business focused Citizen focused: data belongs to the visitor/prospect/consumer/citizen
Patchwork of sector based legislations: HIPAA, COPPA, VPPA, …
Over-arching EU Directives & Regulations
PII: varies per US state
“Personal Data” => Risk levels: low, medium, high, extremelyhigh
@aureliepols Stockholm –March 2015 #outfox2015
Low Risk
Medium Risk
(profiling)
High Risk
(sensitive)
Risk
Level
Data type
Information Security Measures
Extremely High Risk
(profiling of sensitive data)PII
PII vs. Risk Levels
@aureliepols Stockholm –March 2015 #outfox2015
Data Science concerns?
• As a Data Scientist: doing the best analysis
• As an employee: not getting my company into trouble
• As a citizen:
– Lack of transparency <- loss of controlthat could lead to discrimination
– Identity theft
– Tunneled view of the world
@aureliepols Stockholm –March 2015 #outfox2015
What do analytics tools propose?
Let’s take Google Analytics:
• Anonymizing IP addresses
• Implementing opt-out mechanisms
• Not using cookies
• Complying with DNT
• Forcing SSL
• Disabling data sharing
Source: http://gu.illau.me/posts/privacy-and-google-analytics/
@aureliepols Stockholm –March 2015 #outfox2015
Source: http://dynamical.biz/blog/technical-analytics/collecting-ga-userid-into-ga-can-violate-google-analytics-tos-75.html
@aureliepols Stockholm –March 2015 #outfox2015
Data tension due to data leeching
Analytics capabilities
Customer feelings of creepiness
Harm?
Data quality?
@aureliepols Stockholm –March 2015 #outfox2015
Privacy Role Playing in the EU
@aureliepols Stockholm –March 2015 #outfox2015
Rights & obligations
Roles and responsibilities Data controller must:• Process legally &
fairly• Collect for explicit
& legitimate purposes
• Not excessively• Keep data accurate
& updated• Allow for
rectification• Respect data
retention periods• Protect personal
data, appropriate to the type of data held
@aureliepols Stockholm –March 2015 #outfox2015
UNDERSTAND YOUR LIABILITY WITHIN THE DATA ECOSYSTEM
#4. Minimizing Privacy related Risks?
@aureliepols Stockholm –March 2015 #outfox2015
Who is liable here?
@aureliepols Stockholm –March 2015 #outfox2015
iBeacons, Mondelez: Creepy?
@aureliepols Stockholm –March 2015 #outfox2015
EU GDPR affecting Data Science
• Collaboration & Responsibility (not only legal)
– Privacy training & escalation procedures
• Data lineage & consent management
– Understanding wherethe data comes from
– Manage individualchoices & consent
@aureliepols Stockholm –March 2015 #outfox2015
EU GDPR affecting Data Science
• Change to the data value exchange
– Maintaining quality of data collected & analyzed
• Commercial advantages
– Increased Trust; reduced Brand Erosion due to unsystematic Privacy management
– Better data governance, optimized use of Data Science
@aureliepols Stockholm –March 2015 #outfox2015
1 legal concept to rule them all
FIPPs: Fair information Practice Principles
Transparency
Choice
Information review &
correction
Information protection
Accountability
@aureliepols Stockholm –March 2015 #outfox2015
Open discussion
Aurélie Pols
top related